Create a User

This API is used to create a new User.

Request#

API Key Authentication
Create a User with a randomly generated Id
POST/api/user
OpenAPI Spec
API Key Authentication
Create a User with the provided unique Id
POST/api/user/{userId}
OpenAPI Spec

Request Headers#

X-FusionAuth-TenantIdStringoptional

The unique Id of the tenant used to scope this API request.

When only a single tenant is configured the tenant Id can be assumed and this additional header is optional. Once more than one tenant has been configured in FusionAuth the tenant Id is required for this request. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

Request Parameters#

userIdUUIDoptionalDefaults to secure random UUIDImmutable

The Id to use for the new User. If not specified a secure random UUID will be generated.

You must specify either the email or the username or both for the User. Either of these values may be used to uniquely identify the User and may be used to authenticate the User. These fields are marked as optional below, but you must specify at least one of them.

Request Body#

applicationIdUUIDoptionalAvailable since 1.30.0

An optional Application Id that is used to resolve the application-specific email or message template to use when transactional notifications are configured. Transactional notifications include setup password, email verification, and others.

If not provided, only the tenant configuration will be used when resolving templates.

disableDomainBlockBooleanoptionalDefaults to falseAvailable since 1.30.0

A tenant has the option to configure one or more email domains to be blocked in order to restrict email domains during user create or update.

Setting this property equal to true will override the tenant configuration. See tenant.registrationConfiguration.blockedDomains in the Tenant API.

sendSetPasswordEmailBooleanoptionalDefaults to falseDEPRECATED

If true, FusionAuth will send the User an email asking them to set their password. The Email Template that is used is the one specified in the setPasswordEmailTemplateId .

When you set this value to true, any provided password field is ignored.

If you have also enabled email verification and do not skip verification with the skipVerification parameter, only the setup password email will be sent to the user. Setting up the password using the email sent during this user create operation will verify the User's email if it is not already verified.

If the SMTP email configuration is not complete, or disabled, this value is ignored.

Deprecated since 1.59.0

In version 1.59.0 and beyond, prefer the sendSetPasswordIdentityType field.

sendSetPasswordIdentityTypeStringoptionalDefaults to doNotSendAvailable since 1.59.0

If set, FusionAuth will send the User a message asking them to set their password. When you set this value to anything but doNotSend, any provided password field is ignored.

The possible values are:

  • doNotSend - Do not send a set password request.
  • email - The Email Template that is used is the one specified in the setPasswordEmailTemplateId. If the SMTP email configuration is not complete, or disabled, this value is ignored.
  • phone - The Message Template that is used is the one specified in the setPasswordTemplateId. If a Messenger is not selected in the tenant.phoneConfiguration.messengerId field, this value is ignored.

If you have also enabled phone or email verification and do not skip verification with the skipVerification parameter, only the setup password email or SMS message will be sent to the user. Setting up the password using the email or SMS sent during this user create operation will verify the User's email or phone number if it is not already verified.

skipVerificationBooleanoptionalDefaults to false

Indicates to FusionAuth that it should skip email and phone verification even if it is enabled. This is useful for creating admin or internal User accounts.

Setting this to true will, for all identities created or updated in this request:

  • Set user.identities[x].verified field to false
  • Set user.identities[x].verifiedReason field to Skipped, which will exempt this identity from any verification gating requirements configured at the tenant level
  • Set user.verified field to true (if an email identity was created or added)
user.birthDateStringoptional

An ISO-8601 formatted date of the User's birthdate such as YYYY-MM-DD.

user.dataObjectoptional

An object that can hold any information about a User that should be persisted. Please review the limits on data field types as you plan for and build your custom data schema.

user.data.emailStringoptional

This field will be used as the email address if no user.email field is found. This field may be modified by advanced registration forms or the API. Setting this value to another account's email address allows that account to, in some cases, access information about this user.

If user richard has a user.data.email with a value of dinesh@fusionauth.io, whoever controls dinesh@fusionauth.io has elevated access to the richard account. That user can now reset the password on the richard account, for example. This functionality may be useful in certain scenarios, such as when accounts must share an email address. Think through the security ramifications before using this feature.

This feature was removed in version 1.26.0 and added back in in 1.27.2.

user.emailStringoptional

The User's email address. An email address is unique in FusionAuth and stored in lower case.

If email is not provided, then the username or phoneNumber will be required.

user.encryptionSchemeStringoptional

The method for encrypting the User's password.

The possible values are:

You can also create your own password encryptor. See the Custom Password Hashing section for more information.

user.expiryLongoptional

The expiration instant of the User's account. An expired user is not permitted to login.

user.factorStringoptional

The factor used by the password encryption scheme. If not provided, the PasswordEncryptor provides a default value. Generally this will be used as an iteration count to generate the hash. The actual use of this value is up to the PasswordEncryptor implementation.

user.firstNameStringoptional

The first name of the User.

user.fullNameStringoptional

The User's full name as a separate field that is not calculated from firstName and lastName.

user.imageUrlStringoptional

The URL that points to an image file that is the User's profile image.

user.lastNameStringoptional

The User's last name.

user.legacyIdentifierStringoptionalAvailable since 1.67Immutable

Used to override the sub claim in tokens issued by the Legacy Identity Provider Adapter.

This value is immutable after the user is created. It must be unique within the tenant when non-null.

user.middleNameStringoptional

The User's middle name.

user.membershipsArrayoptional

The list of memberships for the User.

user.memberships[x].dataObjectoptional

An object that can hold any information about the User for this membership that should be persisted.

user.memberships[x].groupIdUUIDrequired

The Id of the Group of this membership.

user.memberships[x].idUUIDoptionalDefaults to secure random UUID

The unique Id of this membership. If not specified a secure random UUID will be generated.

user.mobilePhoneStringoptional

The User's mobile phone number. This is useful to send the User push notifications or SMS messages.

user.mobilePhone is a user attribute that cannot be used to log in. For logging in with a phone number, see user.phoneNumber.

user.parentEmailStringoptionalAvailable since 1.7.0

The email address of the user's parent or guardian. This field is used to allow a child user to identify their parent so FusionAuth can make a request to the parent to confirm the parent relationship.

Family configuration must be enabled in the tenant Family configuration and the corresponding family email templates must be configured for FusionAuth to notify the parent during user creation.

user.passwordStringoptional

The User's plain text password. This password will be hashed and the provided value will never be stored and cannot be retrieved.

user.passwordChangeRequiredBooleanoptionalDefaults to false

Indicates that the User's password needs to be changed during their next login attempt. This does not apply if the user has no password.

user.phoneNumberStringoptionalAvailable since 1.59.0

The phone number of the User. The phone number is stored and returned in E.164 canonical format, however a phone number is considered unique regardless of the format. 303-555-1212 is considered equal to +13035551212 so either version of this phone number can be used whenever providing it as input to an API.

If phoneNumber is not provided, then email or username will be required.

This differs from user.mobilePhone in that user.phoneNumber can be used to log in, just like an email address or a username.

user.preferredLanguagesArray<String>optional

An array of locale strings that give, in order, the User's preferred languages. These are important for email templates and other localizable text. See Locales.

The maximum number of allowed preferred languages is 20.

user.timezoneStringoptional

The User's preferred timezone. The string must be in an IANA time zone format. For example: America/Denver or US/Mountain.

user.twoFactor.methods[x].authenticator.algorithmStringoptional

The algorithm used by the TOTP authenticator. With the current implementation, this will always be HmacSHA1.

user.twoFactor.methods[x].authenticator.codeLengthIntegeroptional

The length of code generated by the TOTP. With the current implementation, this will always be 6.

user.twoFactor.methods[x].authenticator.timeStepIntegeroptional

The time-step size in seconds. With the current implementation, this will always be 30.

user.twoFactor.methods[x].emailStringoptional

The value of the email address for this method. Only present if user.twoFactor.methods[x].method is email.

user.twoFactor.methods[x].methodStringoptional

The type of this method. There will also be an object with the same value containing additional information about this method.

The possible values are:

  • authenticator
  • email
  • sms
user.twoFactor.methods[x].mobilePhoneStringoptional

The value of the mobile phone for this method. Only present if user.twoFactor.methods[x].method is sms.

user.twoFactor.methods[x].secretStringoptional

A base64 encoded secret.

This field is required when method is authenticator.

user.twoFactorDeliveryStringoptionalDefaults to NoneDEPRECATED

The User's preferred delivery for verification codes during a two-factor login request.

The possible values are:

  • None
  • TextMessage

When using TextMessage the User will also need a valid mobilePhone.

Removed in 1.26.0
user.twoFactorEnabledBooleanoptionalDefaults to falseDEPRECATED

Determines if the User has two-factor authentication enabled for their account or not.

See the Enable Two-Factor and Disable Two-Factor APIs as an alternative to performing this action using the User API.

Removed in 1.26.0
user.twoFactorSecretStringoptionalDEPRECATED

The Base64 encoded secret used to generate Two-Factor verification codes.

You may optionally use value provided in the secret field returned by the Two-Factor Secret API instead of generating this value yourself.

Unless you are using TextMessage as your delivery type, ensure you are able to share the secret with the User before enabling Two-Factor authentication. Beginning in version 1.17.0, if you do create a User with TextMessage set as the twoFactorDelivery type and you omit this value, the secret will be generated for you. The secret can be generated because it is not necessary to share the secret with the User for this delivery method.

When using None as the twoFactorDelivery this value will be required.

Removed in 1.26.0
user.usernameStringoptional

The username of the User. The username is stored and returned as a case sensitive value, however a username is considered unique regardless of the case. bob is considered equal to BoB so either version of this username can be used whenever providing it as input to an API.

If username is not provided, then email or phoneNumber will be required.

user.usernameStatusStringoptional

The current status of the username. This is used if you are moderating usernames via CleanSpeak. The possible values are:

  • ACTIVE - the username is active
  • PENDING - the username is pending approval/moderation
  • REJECTED - the username was rejected during moderation

This state is managed by CleanSpeak, it may be changed by setting it on this request.

verificationIdsArray<String>optionalAvailable since 1.62.0

An array of strings generated to create a user with identities that have already been verified.

These verificationIds:

  • Must be created using the Start Identity Verification API with an existingUserStrategy of mustNotExist
  • Must have already completed verification using the Complete Identity Verification API
  • Take precedence over the values in user.email and/or user.phoneNumber. The values in those fields must match those represented by the verificationIds.

Example Request JSON

{
  "applicationId": "368994e6-ba8a-49b5-8446-7b99ab1fffdf",
  "disableDomainBlock": false,
  "user": {
    "birthDate": "1976-05-30",
    "data": {
      "displayName": "Johnny Boy",
      "favoriteColors": [
        "Red",
        "Blue"
      ]
    },
    "email": "example@fusionauth.io",
    "encryptionScheme": "salted-sha256",
    "factor": 24000,
    "expiry": 1571786483322,
    "firstName": "John",
    "fullName": "John Doe",
    "imageUrl": "http://65.media.tumblr.com/tumblr_l7dbl0MHbU1qz50x3o1_500.png",
    "lastName": "Doe",
    "memberships": [
      {
        "data": {
          "externalId": "cc6714c6-286c-411c-a6bc-ee413cda1dbc"
        },
        "groupId": "2cb5c83f-53ff-4d16-88bd-c5e3802111a5"
      }
    ],
    "middleName": "William",
    "mobilePhone": "303-555-1234",
    "password": "supersecret",
    "passwordChangeRequired": false,
    "phoneNumber": "303-555-1212",
    "preferredLanguages": [
      "en",
      "fr"
    ],
    "timezone": "America/Denver",
    "twoFactor": {
      "methods": [
        {
          "authenticator": {
            "algorithm": "HmacSHA1",
            "codeLength": 6,
            "timeStep": 30
          },
          "secret": "aGVsbG8Kd29ybGQKaGVsbG8gaGVsbG8=",
          "method": "authenticator"
        },
        {
          "method": "sms",
          "mobilePhone": "555-555-5555"
        },
        {
          "method": "email",
          "email": "example@fusionauth.io"
        }
      ]
    },
    "usernameStatus": "ACTIVE",
    "username": "johnny123"
  }
}

Response#

The response for this API contains the User that was just created. The password, salt and other sensitive fields will not be returned on the API response.

Response Codes
CodeDescription
200The request was successful. The response will contain a JSON body.
400The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.
401You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.
500There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.
503The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.
504One or more Webhook endpoints returned an invalid response or were unreachable. Based on the transaction configuration for this event your action cannot be completed. A stack trace is provided and logged in the FusionAuth log files.

Response Body#

tokenStringAvailable since 1.16.0

The access token, this string is an encoded JSON Web Token (JWT).

When the user will be sent a setup password email or sms message, this token will not be returned.

tokenExpirationInstantLongAvailable since 1.33.0

The instant the token will expire. If the response does not contain a token, this field will also be omitted from the response.

emailVerificationIdStringAvailable since 1.27.0

An email verification Id. When present, this will represent the user's current email verification Id.

When using FormField verification strategy, this is the first part of the pair of verification Ids, and the emailVerificationOneTimeCode is the second part. When ClickableLink is the verification strategy, this value is sensitive in that this value by itself can be used to verify the user's email address.

When ClickableLink is the verification strategy, this is the value that will have been emailed to the user in order to complete verification. If you have not configured SMTP, you may optionally use this value to use an out of band transport such as your own email service.

Prior to version 1.49.0, this value was only returned when using FormField verification strategy. Beginning in 1.49.0 the value is always returned when available.

emailVerificationOneTimeCodeStringAvailable since 1.49.0

An email one time code that will be paired with the emailVerificationId.

When FormField is the verification strategy, this is the value that will have been emailed to the user in order to complete verification. If you have not configured SMTP, you may optionally use this value to use an out of band transport such as your own email service.

This value will only be present when using the FormField verification strategy. When present, this is the value the user will need to enter to complete email verification.

verificationIdsArrayAvailable since 1.59.0

The list of all identity verifications that exist for a user. This includes the email and phone identities that a user may have. The values from emailVerificationId and emailVerificationOneTimeCode are legacy fields and will also be present in this list.

verificationIds[x].idStringAvailable since 1.59.0

An identity verification Id.

When using FormField verification strategy, FusionAuth provides two values, a verification Id (this value) and the verificationIds[x].oneTimeCode value.

When ClickableLink is the verification strategy, this is the value FusionAuth sends to the user in order to complete identity verification. If you have not configured SMTP or an SMS messenger, you may optionally use this value to use an out-of-band transport such as your own email service to deliver this value.

Note that when ClickableLink is the verification strategy, this value is sensitive in that it can be used to verify the user's email address or phone number.

verificationIds[x].oneTimeCodeStringAvailable since 1.59.0

A one time code that will be paired with the verificationIds[x].id.

When FormField is the verification strategy, this is the value FusionAuth sends to the user in order to complete verification. If you have not configured SMTP or an SMS messenger, you may optionally send this value using an out-of-band transport such as your own email service.

This value will only be present when using the FormField verification strategy. When present, this is the value the user will need to enter to complete email or phone verification.

verificationIds[x].typeStringAvailable since 1.59.0

The identity type that the verification Id is for. This identity type, along with verificationIds[x].value, matches exactly one identity via user.identities[x].type.

verificationIds[x].valueStringAvailable since 1.59.0

The identity value that the verification Id is for. This identity value, along with verificationIds[x].type, matches exactly one identity via user.identities[x].value.

user.activeBoolean

True if the User is active. False if the User has been deactivated. Deactivated Users will not be able to log in.

user.birthDateString

The User's birthdate formatted as YYYY-MM-DD

user.breachedPasswordLastCheckedInstantLong

The instant this user's password was last checked to determine if it is compromised.

user.connectorIdUUIDAvailable since 1.18.0

The unique Id of the Connector associated with the System of Record being used to authenticate the user.

user.cleanSpeakIdUUID

This Id is used by FusionAuth when the User's username is sent to CleanSpeak to be moderated (filtered and potentially sent to the approval queue). It is the content Id of the username inside CleanSpeak.

user.dataObject

An object that can hold any information about the User that should be persisted.

user.data.emailString

This field will be used as the email address if no user.email field is found.

This feature was removed in version 1.26.0 and added back in 1.27.2.

user.emailString

The User's email address.

user.expiryLong

The expiration instant of the User's account. An expired user is not permitted to log in.

user.firstNameString

The first name of the User.

user.fullNameString

The User's full name as a separate field that is not calculated from firstName and lastName.

user.idUUID

The User's unique Id.

user.identitiesArrayAvailable since 1.59.0

The list of identities that exist for a User.

user.identities[x].displayValueStringAvailable since 1.59.0

The display value for the identity. Only used for username type identities. If the unique username feature is not enabled, this value will be the same as user.identities[x].value. Otherwise, it will be the username the User has chosen. For primary username identities, this will be the same value as user.username.

user.identities[x].insertInstantLongAvailable since 1.59.0

The instant when the identity was created.

user.identities[x].lastLoginInstantLongAvailable since 1.59.0

The instant when the identity was last used to log in. If a User has multiple identity types (username, email, and phoneNumber), then this value will represent the specific identity they last used to log in. This contrasts with user.lastLoginInstant, which represents the last time any of the User's identities was used to log in.

Identity provider logins will not be reflected here (see user.lastLoginInstant for a field that includes identity provider logins).

user.identities[x].lastUpdateInstantLongAvailable since 1.59.0

The instant when the identity was last updated.

user.identities[x].moderationStatusStringAvailable since 1.59.0

The current status of the username. This is used if you are moderating usernames via CleanSpeak. The possible values are:

  • ACTIVE - the username is active
  • PENDING - the username is pending approval/moderation
  • REJECTED - the username was rejected during moderation

If a username has been rejected, it is still possible to allow the User to update it and have the new one moderated again.

Only used for username type identities. For primary username identities, this will be the same value as user.usernameStatus.

user.identities[x].typeStringAvailable since 1.59.0

The identity type. The possible values are:

  • email - identities defined by an email address
  • phoneNumber - identities defined by a phone number
  • username - identities defined by a username
user.identities[x].valueStringAvailable since 1.59.0

The value represented by the identity. The contents of this field depend on user.identities[x].typeand will be one of the following:

  • Email address - The User's email address, always lower cased. For primary email identities, this will be the same value as user.email
  • Phone number - The User's phone number, in E.164 canonical format. For primary phone number identities, this will be the same value as user.phoneNumber
  • Username - User's username - this will be the same as user.identities[x].displayValue. For primary username identities, this will be the same value as user.username

This value is unique within a tenant for a particular user.identities[x].type.

If the unique usernames feature is enabled, value will be the unique username (within the tenant). For primary username identities, this will also be the same value as user.uniqueUsername.

user.identities[x].verifiedBooleanAvailable since 1.59.0

Whether verification was actually performed on the identity by FusionAuth. This is used in combination with the user.identities[x].verifiedReason to decide whether an identity needs verification.

user.identities[x].verifiedInstantLongAvailable since 1.59.0

The instant when verification was performed on the identity. This field is only populated when verification was actually performed on the identity by FusionAuth.

user.identities[x].verifiedReasonStringAvailable since 1.59.0

The reason the User's identity was verified or not verified. The possible values are:

  • Skipped - Verification was skipped due to the skipVerification parameter on the request
  • Trusted - Identity was created via an identity provider or a connector
  • Unverifiable - FusionAuth doesn't know how to verify this identity type. Usernames are an example
  • Implicit - Verification was implicitly performed by sending a set password or passwordless message
  • Pending - Tenant policy requires verification but no verification has been performed yet
  • Completed - Verification was performed by FusionAuth
  • Disabled - Tenant policy did not require verification
  • Import - User was imported so verification was not performed by FusionAuth

If this field is Disabled, Import, Skipped, Trusted, or Unverifiable, then verification will not be required, regardless of the user.identities[x].verified value. For Implicit, Pending, or Completed, the identity will require verification if user.identities[x].verified is false.

user.imageUrlString

The URL that points to an image file that is the User's profile image.

user.insertInstantLong

The instant when the user was created.

user.lastLoginInstantLong

The instant when the User logged in last. See user.identities[x].lastLoginInstant for more granular information based on identity.

user.lastNameString

The User's last name.

user.lastUpdateInstantLong

The instant when the User was last updated.

user.legacyIdentifierStringAvailable since 1.67

Used to override the sub claim in tokens issued by the Legacy Identity Provider Adapter.

This value is immutable after the user is created and is unique within the tenant when non-null.

user.middleNameString

The User's middle name.

user.mobilePhoneString

The User's mobile phone number. This is useful if you will be sending push notifications or SMS messages to the User.

This differs from user.phoneNumber and cannot be used to log in.

user.parentEmailStringAvailable since 1.7.0

The email address of the user's parent or guardian. If this value was provided during a create or update operation, this value will only remain until the child is claimed by a parent.

user.passwordChangeRequiredBoolean

Indicates that the User's password needs to be changed during their next login attempt.

user.passwordLastUpdateInstantLong

The instant that the User last changed their password.

Since version 1.59.0, if a user does not currently have a password, this field will not be returned in the response.

user.phoneNumberStringAvailable since 1.59.0

The User's primary phone number. The phone number is stored and returned in E.164 canonical format, however a phone number is considered unique regardless of the format. 303-555-1212 is considered equal to +13035551212 so either version of this phone number can be used whenever providing it as input to an API.

This differs from user.mobilePhone in that user.phoneNumber can be used to log in, just like an email address or a username.

user.preferredLanguagesArray<String>

An array of locale strings that give, in order, the User's preferred languages. These are important for email templates and other localizable text. See Locales.

user.registrationsArray

The list of registrations for the User. This will include registrations for inactive applications.

user.registrations[x].applicationIdUUID

The Id of the Application that this registration is for.

user.registrations[x].authenticationTokenString

The Authentication Token for this registration (if one exists).

user.registrations[x].cleanSpeakIdUUID

This Id is used by FusionAuth when the User's username for this registration is sent to CleanSpeak to be moderated (filtered and potentially sent to the approval queue). It is the content Id of the username inside CleanSpeak.

user.registrations[x].dataObject

An object that can hold any information about the User for this registration that should be persisted.

user.registrations[x].idUUID

The Id of this registration.

user.registrations[x].insertInstantLong

The instant that this registration was created.

user.registrations[x].lastLoginInstantLong

The instant that the User last logged into the Application for this registration.

user.registrations[x].preferredLanguagesArray<String>

An array of locale strings that give, in order, the User's preferred languages for this registration. These are important for email templates and other localizable text.

user.registrations[x].rolesArray<String>

The list of roles that the User has for this registration. The string is the role's Name not the role's Id, e.g. admin or user-role.

user.registrations[x].timezoneString

The User's preferred timezone for this registration. The string will be in an IANA time zone format.

user.registrations[x].tokensMap<String,StringDEPRECATED

A map that contains tokens returned from identity providers.

For example, if this user has authenticated using the Facebook Identity Provider, the Facebook access token will be available in this map, keyed by name Facebook. For an OpenID Connect Identity provider, or other generic providers, if a token is stored it will be keyed by the Identity Provider unique Id.

Removed in 1.28.0

The token returned and stored from the Identity Provider is now stored in the IdP link and is retrievable using the Identity Provider Link API.

user.registrations[x].usernameString

The username of the User for this registration only. This is for display purposes and cannot be used to log in.

user.registrations[x].usernameStatusString

The current status of the username. This is used if you are moderating usernames via CleanSpeak. The possible values are:

  • ACTIVE - the username is active
  • PENDING - the username is pending approval/moderation
  • REJECTED - the username was rejected during moderation

If a username has been rejected, it is still possible to allow the User to update it and have the new one moderated again.

user.registrations[x].verifiedBoolean

This value indicates if this User's registration has been verified.

For additional information, see these tutorials:

user.registrations[x].verifiedInstantLongAvailable since 1.48.0

The instant that this registration was verified.

user.tenantIdUUID

The Id of the Tenant that this User belongs to.

user.timezoneString

The User's preferred timezone. This can be used as a default to display instants, and it is recommended that you allow Users to change this per-session. The string will be in an IANA time zone format.

user.twoFactor.methods[x].authenticator.algorithmString

The algorithm used by the TOTP authenticator. With the current implementation, this will always be HmacSHA1.

user.twoFactor.methods[x].authenticator.codeLengthInteger

The length of code generated by the TOTP. With the current implementation, this will always be 6.

user.twoFactor.methods[x].authenticator.timeStepInteger

The time-step size in seconds. With the current implementation, this will always be 30.

user.twoFactor.methods[x].emailString

The value of the email address for this method. Only present if user.twoFactor.methods[x].method is email.

user.twoFactor.methods[x].idString

The unique Id of the method.

user.twoFactor.methods[x].lastUsedBoolean

true if this method was used most recently.

user.twoFactor.methods[x].methodString

The type of this method. There will also be an object with the same value containing additional information about this method. The possible values are:

  • authenticator
  • email
  • sms
user.twoFactor.methods[x].mobilePhoneString

The value of the mobile phone for this method. Only present if user.twoFactor.methods[x].method is sms.

user.twoFactorDeliveryStringDEPRECATED

The User's preferred delivery for verification codes during a two-factor login request.

The possible values are:

  • None
  • TextMessage
Removed in 1.26.0
user.twoFactorEnabledBooleanDEPRECATED

Determines if the User has two-factor authentication enabled for their account or not.

Removed in 1.26.0
user.usernameString

The username of the User.

user.usernameStatusString

The current status of the username. This is used if you are moderating usernames via CleanSpeak. The possible values are:

  • ACTIVE - the username is active
  • PENDING - the username is pending approval/moderation
  • REJECTED - the username was rejected during moderation

If a username has been rejected, it is still possible to allow the User to update it and have the new one moderated again.

user.verifiedBooleanDEPRECATED

Whether or not the User's primary email identity has been verified. This does NOT indicate whether phone number identity types are verified.

For additional information, see these tutorials:

Deprecated since 1.59.0

See user.identities[x].verified and user.identities[x].verifiedReason.

user.verifiedInstantLongAvailable since 1.48.0

The first instant that the User's primary email address or phone number was verified. This value is immutable and cannot change for a user once set.

Example Response JSON

{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImMxVU5ON0pIUVc4X21ROHBTaWZKbzBXekdybDlTbTRnIn0.eyJleHAiOjE1ODY4ODQzNzksImlhdCI6MTU4Njg4NDMxOSwiaXNzIjoiZnVzaW9uYXV0aC5pbyIsInN1YiI6IjAwMDAwMDAwLTAwMDAtMDAwMS0wMDAwLTAwMDAwMDAwMDAwMCIsImF1dGhlbnRpY2F0aW9uVHlwZSI6IlVTRVJfQ1JFQVRFIiwiZW1haWwiOiJ0ZXN0MEBmdXNpb25hdXRoLmlvIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInByZWZlcnJlZF91c2VybmFtZSI6InVzZXJuYW1lMCJ9.Z1jV8xDcayZZDBdLRVd2fIyowhstRI4Dgk7_u2XFerc",
  "user": {
    "active": true,
    "breachedPasswordLastCheckedInstant": 1471786483322,
    "breachedPasswordStatus": "None",
    "birthDate": "1976-05-30",
    "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
    "data": {
      "displayName": "Johnny Boy",
      "favoriteColors": [
        "Red",
        "Blue"
      ]
    },
    "email": "example@fusionauth.io",
    "expiry": 1571786483322,
    "firstName": "John",
    "fullName": "John Doe",
    "id": "00000000-0000-0001-0000-000000000000",
    "identities": [
      {
        "insertInstant": 1742936980069,
        "lastLoginInstant": 1742936980069,
        "lastUpdateInstant": 1742936980069,
        "primary": true,
        "type": "email",
        "value": "example@fusionauth.io",
        "verified": false,
        "verifiedReason": "Disabled"
      },
      {
        "insertInstant": 1742936980069,
        "lastLoginInstant": 1742936980069,
        "lastUpdateInstant": 1742936980069,
        "primary": true,
        "type": "phoneNumber",
        "value": "+13035551212",
        "verified": false,
        "verifiedReason": "Disabled"
      },
      {
        "displayValue": "johnny123",
        "insertInstant": 1742936980069,
        "lastLoginInstant": 1742936980069,
        "lastUpdateInstant": 1742936980069,
        "moderationStatus": "ACTIVE",
        "primary": true,
        "type": "username",
        "value": "johnny123",
        "verified": false,
        "verifiedReason": "Unverifiable"
      }
    ],
    "imageUrl": "http://65.media.tumblr.com/tumblr_l7dbl0MHbU1qz50x3o1_500.png",
    "insertInstant": 1742936980069,
    "lastLoginInstant": 1742936980069,
    "lastName": "Doe",
    "memberships": [
      {
        "data": {
          "externalId": "cc6714c6-286c-411c-a6bc-ee413cda1dbc"
        },
        "groupId": "2cb5c83f-53ff-4d16-88bd-c5e3802111a5",
        "id": "27218714-305e-4408-bac0-23e7e1ddceb6",
        "insertInstant": 1742936980069
      }
    ],
    "middleName": "William",
    "mobilePhone": "303-555-1234",
    "passwordChangeRequired": false,
    "passwordLastUpdateInstant": 1742936980069,
    "phoneNumber": "+13035551212",
    "preferredLanguages": [
      "en",
      "fr"
    ],
    "registrations": [
      {
        "applicationId": "10000000-0000-0002-0000-000000000001",
        "data": {
          "displayName": "Johnny",
          "favoriteSports": [
            "Football",
            "Basketball"
          ]
        },
        "id": "00000000-0000-0002-0000-000000000000",
        "insertInstant": 1742936980069,
        "lastLoginInstant": 1742936980069,
        "preferredLanguages": [
          "en",
          "fr"
        ],
        "roles": [
          "user",
          "community_helper"
        ],
        "timezone": "America/Chicago",
        "username": "johnny123",
        "usernameStatus": "ACTIVE",
        "verified": true,
        "verifiedInstant": 1742936980069
      }
    ],
    "timezone": "America/Denver",
    "tenantId": "f24aca2b-ce4a-4dad-951a-c9d690e71415",
    "twoFactor": {
      "methods": [
        {
          "authenticator": {
            "algorithm": "HmacSHA1",
            "codeLength": 6,
            "timeStep": 30
          },
          "id": "35VW",
          "method": "authenticator"
        },
        {
          "id": "V7SH",
          "method": "sms",
          "mobilePhone": "555-555-5555"
        },
        {
          "email": "example@fusionauth.io",
          "id": "7K2G",
          "method": "email"
        }
      ]
    },
    "usernameStatus": "ACTIVE",
    "username": "johnny123",
    "verified": true,
    "verifiedInstant": 1742936980069
  }
}